Response generation after distributed monitoring and evaluation of multiple devices
Abstract
Data is collected from a set of devices according to a data collection policy. The data is associated with device configuration, device state, or device behavior. A norm is established using the collected data. A different data collection policy is established based on the norm. Data is collected from a particular device according to the different data collection policy. The norm is compared to the data collected from the particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated.
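
An added illustration of the flow the abstract describes, not code from the patent. The median/MAD norm, the rule for deriving the second policy, the metric names, the threshold and the action label are assumptions chosen for the example, and the fleet data is constructed.

```python
from statistics import median

# Constructed fleet observations gathered under the first (broad) policy.
FIRST_POLICY = ["sms_per_day", "dns_queries_per_hour", "battery_pct"]
FLEET = {
    "dev-a": {"sms_per_day": 12, "dns_queries_per_hour": 40, "battery_pct": 81},
    "dev-b": {"sms_per_day": 9, "dns_queries_per_hour": 44, "battery_pct": 23},
    "dev-c": {"sms_per_day": 11, "dns_queries_per_hour": 38, "battery_pct": 64},
    "dev-d": {"sms_per_day": 10, "dns_queries_per_hour": 42, "battery_pct": 5},
    "dev-e": {"sms_per_day": 13, "dns_queries_per_hour": 41, "battery_pct": 97},
}

def establish_norm(fleet, policy):
    """Per-metric (median, MAD) across the fleet; this pair is the 'norm' here."""
    norm = {}
    for metric in policy:
        values = [obs[metric] for obs in fleet.values()]
        med = median(values)
        norm[metric] = (med, median(abs(v - med) for v in values))
    return norm

def derive_second_policy(norm, max_rel_spread=0.25):
    """Assumed rule: keep only metrics the fleet agrees on, so a deviation means something."""
    return [m for m, (med, mad) in norm.items()
            if med and mad / abs(med) <= max_rel_spread]

def evaluate(device_data, norm, policy, threshold=5.0):
    """Return alert information if any metric deviates beyond the threshold, else None."""
    outside = {}
    for metric in policy:
        med, mad = norm[metric]
        deviation = abs(device_data[metric] - med) / max(mad, 1e-9)  # MADs from the norm
        if deviation > threshold:
            outside[metric] = round(deviation, 1)
    if outside:
        # Hypothetical action label; the claims list blocking service access as one response.
        return {"action": "block_service_access", "deviations": outside}
    return None

if __name__ == "__main__":
    norm = establish_norm(FLEET, FIRST_POLICY)
    second_policy = derive_second_policy(norm)  # battery_pct is dropped: too noisy fleet-wide
    print(second_policy)
    print(evaluate({"sms_per_day": 240, "dns_queries_per_hour": 43}, norm, second_policy))
```
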
20 Claims
1. A method comprising:
- at a server, based on a first data collection policy, collecting observation data from a plurality of devices, the collected observation data including information associated with at least one of device configuration, device state, and device behavior;
- at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
- at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different from the first data collection policy;
- at the server, based on the derived second data collection policy, collecting first device data from a first device of the plurality of devices;
- at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined using the first device data;
- at the server, determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and
- upon the determination, generating alert information by the server, wherein the alert information when processed causes performance of a first action on the first device.
Dependent claims: 2, 3, 4, 5
6. A method comprising:
- at a server, based on a first data collection policy, collecting observation data from a plurality of devices, the collected observation data including information associated with at least one of device configuration, device state, and device behavior;
- at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
- at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different from the first data collection policy;
- at the server, based on the derived second data collection policy, collecting first device data from a first device of the plurality of devices;
- at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined using the first device data;
- at the server, determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and
- upon the determination, generating alert information by the server, wherein the alert information when processed causes at least one of:
  - the transmitting by the server of a message to an administrator;
  - the blocking of the first device from accessing a service; and
  - transmitting to the first device instructions to uninstall an application program on the first device.
Dependent claims: 7, 8
9. A method comprising:
- at a server, monitoring a plurality of devices for observation data based on a first data monitoring policy, the monitored observation data including information associated with at least one of device configuration, device state, and device behavior;
- at the server, establishing a normal pattern of activity occurring on the plurality of devices based on the monitored observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
- at the server, deriving a second data monitoring policy from the determined normal pattern of activity occurring on the plurality of devices, the second data monitoring policy being different from the first data monitoring policy;
- at the server, based on the derived second data monitoring policy, monitoring a first device of the plurality of devices for first device data;
- at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined by the monitored first device data;
- at the server, determining that the first pattern of activity associated with the first device of the plurality of devices is outside of a threshold deviation from the normal pattern of activity; and
- upon the determination, modifying the second data monitoring policy for monitoring of the first device by the server.
Dependent claims: 10, 11, 12, 13, 14, 15
16. A method comprising:
- at a server, distributing first policies to a plurality of devices, the plurality of devices includes a first device;
- at a server, receiving, from the plurality of devices, observation data responsive to the first policies for observation data, the received observation data including information associated with at least one of device configuration, device state, and device behavior;
- at the server, determining a normal pattern of activity occurring on the plurality of devices using the received observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices;
- at the server, receiving first device data from a first device of the plurality of devices, the first device data being based on a second policy that has been derived from the normal pattern of activity occurring on the plurality of devices;
- at the server, determining a first pattern of activity occurring on the first device using the received first device data;
- at the server, comparing the normal pattern of activity with the first pattern of activity occurring on the first device;
- at the server, determining that the first pattern of activity deviates from the normal pattern of activity outside of a threshold value; and
- upon the determination, transmitting by the server, the second policy to the first device to replace the first policy distributed to the first device.
Dependent claims: 17, 18, 19, 20